Federal and State Data Breach Laws Every Business Should Know

Posted by Edward Sharkey on Wed, 03/12/2014 - 04:00

Over the past few months, we have devoted a lot of attention to the legal issues businesses face when they experience a data breach. There are two reasons why this topic is becoming an important aspect of business litigation:

One, data breaches are unavoidable, due to the prevalence of businesses storing customers’ personally identifying information (PII) in their databases; two, a data breach can be extremely costly to a business.

Most recently, we updated readers on a case in which a medical service provider suffered a data breach when a laptop containing customers’ PII was stolen from its offices. The business had failed to take adequate precautions to protect the PII, which was stored unencrypted on the laptop. After the theft, several customers’ identities were stolen. The customers sued the medical provider. The parties settled the case out of court for $3 million.

The case received attention from businesses and lawyers nationwide because of the size of the settlement and what it means for businesses in the future. Something that has been mostly overlooked in the wake of the case is that lawsuits filed by customers are not the only financial danger facing businesses after they have suffered a data breach. There are also federal and state laws on the subject, as well as federal regulatory agencies that have jurisdiction over certain instances of data breach.

For example, under the federal HIPAA laws, certain businesses are required to implement security and privacy procedures, to train their employees on those procedures, and to make notifications whenever PII has been misappropriated. Failure to comply with any of these laws can result in fines of up to $50,000 for each violation.

Maryland, for its part, has enacted the Personal Information Protection Act ("PIPA"), which aims to protect customers’ PII and prevent identity theft. The Maryland PIPA law requires businesses to investigate any potential breaches and to notify affected consumers and the Maryland Office of the Attorney General when customer PII has been compromised. Failure to comply with PIPA will constitute an unfair or deceptive trade practice under Maryland’s Consumer Protection Act, for which businesses may face fines of up to $1,000 per violation for a first offense, and up to $5,000 if the business is a repeat offender.

Our firm continues to monitor developments concerning data breach liability and the liability of businesses in general. If you have any questions about this or a related matter, please give us a call.